When elevated place clean room in system Temp folder

To prevent DLL hijacking the clean room process when launched elevated,
the system Temp folder will be used instead of the user's temp folder.
This ensures the user cannot slip malicious DLLs into the clean room.

Fixes wixtoolset/issues#5724

Author: robmen

history/5724.md

@@ -0,0 +1 @@
+* RobMen - WIXBUG:5724 - fix DLL hijack of clean room when bundle launched elevated.

src/burn/engine/cache.cpp

@@ -1104,13 +1104,29 @@ static HRESULT CalculateWorkingFolder(
 {
     HRESULT hr = S_OK;
     RPC_STATUS rs = RPC_S_OK;
+    BOOL fElevated = FALSE;
     WCHAR wzTempPath[MAX_PATH] = { };
     UUID guid = {};
     WCHAR wzGuid[39];
 
     if (!vsczWorkingFolder)
     {
-        if (0 == ::GetTempPathW(countof(wzTempPath), wzTempPath))
+        ProcElevated(::GetCurrentProcess(), &fElevated);
+
+        if (fElevated)
+        {
+            if (!::GetWindowsDirectoryW(wzTempPath, countof(wzTempPath)))
+            {
+                ExitWithLastError(hr, "Failed to get windows path for working folder.");
+            }
+
+            hr = PathFixedBackslashTerminate(wzTempPath, countof(wzTempPath));
+            ExitOnFailure(hr, "Failed to ensure windows path for working folder ended in backslash.");
+
+            hr = ::StringCchCatW(wzTempPath, countof(wzTempPath), L"Temp\\");
+            ExitOnFailure(hr, "Failed to concat Temp directory on windows path for working folder.");
+        }
+        else if (0 == ::GetTempPathW(countof(wzTempPath), wzTempPath))
         {
             ExitWithLastError(hr, "Failed to get temp path for working folder.");
         }